An Coimisiún um 
Data Protection 
Commission 


DPC Ref: C-19-X-XXX 

ICO Ref: XXXXXXXXX 

Date: 10 November 2020 
Complainant: XX 

Data Controller: Ryanair DAC 


RE: XX V Ryanair DAC 


This document is a decision of the Data Protection Commission of Ireland (“DPC”) in relation 
to DPC complaint reference C-19-X-XXX (hereinafter referred to as the 
“Complaint”), submitted by XX (“Complainant”) against Ryanair DAC (“Data Controller”), 
which was referred to the Data Protection Commission of Ireland (“DPC”), in its 
capacity as lead supervisory authority, by the Information Commissioner’s Office of the 
United Kingdom (“ICO”), as the concerned supervisory authority with which the complaint 
was lodged. 


This decision is made pursuant to the powers conferred on the DPC by section 113(2)(a) of 
the Data Protection Act 2018 (“the Act”) and Article 60 of the General Data 
Protection Regulation (“GDPR”). 


Preliminary Assessment of complaint 


1. The complainant initially submitted a complaint to the ICO, which was thereafter 
received by the DPC on 02 March 2019. In their request, the complainant alleged that 
the data controller had failed to comply with a subject access request, submitted to it 
by the complainant on 26 September 2018. In transmitting the complaint to the DPC, 
the ICO advised that the complaint related to the data controller's failure to respond to 
the complainant's access request. The ICO provided the DPC with a copy of the 
complaint form submitted to the ICO by the complainant, a copy of the 
acknowledgement, dated 26 September 2018, that the complainant had received from 
the data controller when submitting the access request, and a copy of the 
complainant's follow up email to the data controller requesting an update in relation to 
their request. 


2. Prior to commencing an investigation into the complaint, the DPC reviewed the 
information provided by the ICO and established that Ryanair DAC, which has its place 
of main establishment in Ireland, was identified as the relevant data controller under 
the GDPR in relation to the complaint, as it determined the purposes and means of the 
processing of the complainant’s personal data for the purposes of managing their 
customer service query and responding to their access request. 


The data in question was personal data relating to the complainant (consisting of, 
amongst other things, customer service complaints and an access request they had 
submitted to Ryanair DAC) as it related to them as an identifiable natural person. The 
DPC was therefore satisfied that the complaint, as received by the DPC on 02 March 
2019, should be investigated to determine if a breach of the Act and/or GDPR had 
occurred. 


Examination of complaint 


Acting in its capacity as lead supervisory authority, the DPC commenced an 
examination of the complaint by contacting the data controller via email on 19 March 
2019. In our correspondence, the DPC outlined the details of the complaint as set out 
by the ICO. 


In our communication, the DPC advised the data controller that the scope of the 
complaint related to an allegation made by the complainant that the data controller had 
failed to respond to a subject access request, dated 26 September 2018, submitted to 
it by the complainant. The DPC also provided the data controller with details of the 
online portal reference number that the complainant received from the data controller 
following their request. 


In order to progress the matter the DPC instructed the data controller to respond to the 
access request in full and to provide this office with a copy of the cover letter that issued 
to the complainant. 


In its response to the DPC dated 02 April 2019, the data controller provided the DPC 
with a copy of a cover letter dated 02 April 2019, that issued to the complainant in 
relation to their access request. In its correspondence to the complainant, the data 
controller advised that it had received the access request dated 26 September 2018, 
in which the complainant had requested access to all data and specifically all data, 
including call recordings, relating to a specific booking reference. 


With its letter of 02 April 2019, the data controller provided the complainant with access 
to copies of their personal data relating to the specific booking reference the 
complainant had provided to the ICO and data relating to a separate complaint. The 
data controller advised that it could not provide the complainant with a copy of the call 
recording they had requested as, due to the delay on the data controller’s part in 
processing the request, the call recording had been deleted in accordance with 
company policy and they had been unable to retrieve it. The data controller advised 
the DPC that it had informed the complainant of this via its online portal on 22 February 
2019. The data controller stated that the delay in processing the access request was 
caused by human error as the agent who had opened and was processing the access 
request, had ceased working on the data controller’s online portal prior to completing 
the request and had failed to reassign the request to another agent. The data controller 
advised the DPC that it has reviewed its process to ensure that this error would not 
occur again and that the assignment of a request is no longer dependent on agent 
(human) action. 


This office reverted to the data controller with further queries relating to its procedure 
regarding access requests for call recordings. 


The data controller responded to the DPC’s queries stating that it had acknowledged 
the request on 27 September 2018 and requested that the complainant verify their 
email address. The data controller stated that at the time the request was submitted, 
due to the volume of data subjects who did not verify their email address, access 
requests were not assigned to the relevant department until the email was verified by 
the data subject. The data controller advised this office that the complainant responded 
to the request, verifying their email address, but the agent who was working on the 
request had ceased working on the online portal and therefore the request had not 
been assigned to the relevant department. The data controller asserted that this error 
was not discovered until December 2018, when the request was then assigned to the 
Customer Services department to provide the necessary data, including the call 
recording, at which point the call record had been deleted in accordance with the data 
controller’s retention policy. 


The data controller provided the DPC with a copy of its retention policy, in which it 
states that call recordings are retained for a period of 90 days from the date of the call. 
The data controller advised that, as the complainant’s call had been made on 05 
September 2018, it would have been automatically deleted on 04 December 2018. The 
data controller further stated that it does not have the functionality to retrieve deleted 
call recordings. 


The data controller advised this office that it would now include wording in its “Contact 
Us FAQ’s” on its website, which is the central location for the data controller's contact 
numbers, including the phone numbers for the main Customer Support for each 
market, advising customers that call recordings will be deleted from the system after 
90 days. The data controller stated that customers looking to contact its call centres 
need to access this page in order to obtain the appropriate number and the notification 
would be prominent and visible at that point. 


Throughout the handling of the complaint, the DPC kept the complainant informed of 
the progress of the complaint via updates transmitted to the ICO. 


The DPC provided the data controller with a copy of the draft decision in relation to the 
complaint by way of email on 03 April 2020, inviting it to provide final submissions in 
relation to the matter by close of business 17 April 2020. 


The data controller provided its final submission by way of email dated 21 April 2020. 


In its submission, the data controller stated that the complainant’s access request, 
submitted through the data controller’s online portal on 26 September 2018, stated “I 
would like ALL data included recorded calls relating to booking CR8E6F”. The data 
controller advised the DPC that the request was not limited to recordings of phone calls 
made by the complainant. 


The data controller also submitted that the draft decision did not reflect the chronology 
of events and asserted that, in response to the complainant's access request, prior to 
receipt of the DPC’s initial correspondence, the data controller had previously provided 
various records to the complainant via its online portal on both 10 January 2019 and 
18 February 2019. The data controller asserted that the records provided contained 
the complainant’s personal data and included letters, a written complaint and web chat 
transcripts relating to a specific booking reference. The data controller stated that, in 
the course of these communications with the complainant, and in further 
communications on 22 February 2019 and 04 March 2019 via the data controller’s 
online portal, the data controller had also made it clear to the complainant that it was 
no longer in a position to provide call recordings, as they had been deleted and 
explained the reasons for this (i.e. that the data controller had not located the 
recordings prior to the 90 day deletion period elapsing). The data controller advised 
that in its communication to the complainant on 04 March 2019 it had also apologised 
to the complainant for any inconvenience caused. In addition, the data controller also 
stated that it liaised with the complainant in September and October 2019, in parallel 
to their access request, in an attempt to resolve their underlying customer service 
complaint. 


The data controller highlighted the steps that it had taken in response to the 
complainant's access request and suggested that they be considered as mitigating 
factors by the DPC when making its decision. These steps were: 


a) providing various written records containing the complainant’s personal data 
to them in January and February 2019; 

b) explaining to the complainant on more than one occasion the reasons for its 
inability to provide the call recordings to them; 

c) providing an apology to the complainant for any inconvenience caused; 

d) making various alterations to its data processing systems to avoid any repeat 
of the human error that caused the failures highlighted in the complaint; 

e) adopting measures to ensure enhanced transparency concerning its retention 
of call recordings; and 

f) that it had co-operated with the DPC in respect of our investigation into this 
matter. 


Complaint handling process 


In accordance with section 109(2) of the Act, the DPC is mandated to attempt to 
amicably resolve complaints where there is a reasonable likelihood of amicable 
resolution being reached within a reasonable time. If the complaint is not amicably 
resolved the DPC will take such action(s) as the Commission considers appropriate as 
set out in section 113 of the Act. Whilst the DPC engaged in such efforts, in this case 
the complainant notified the ICO they were unsatisfied with the apology put forward by 
the data controller in an attempt to amicably resolve the subject matter of the 
complaint. 


Communication of draft decision to “supervisory authorities concerned” 


In accordance with Article 60(3) of the GDPR, the DPC is obliged to communicate the 
relevant information and submit a draft decision, in relation to a complaint regarding 
cross border processing, to the supervisory authorities concerned for their opinion and 
to take due account of their views. 


In accordance with its obligation, the DPC transmitted a draft decision in relation to the 
matter to the “supervisory authorities concerned” on 25 May 2020. As Ryanair DAC 
offers goods and services across the EU, and therefore the processing is likely to 
substantially affect data subjects in every EU member state, the DPC in its role as LSA 
identified that each supervisory authority was a supervisory authority concerned as 
defined in Article 4(22) of the GDPR. On this basis, the draft decision of the DPC in 
relation to this complaint was transmitted to each supervisory authority in the EU and 
EEA for their opinion. 


Subsequently, the DPC received a number of “relevant and reasoned objections” from 
different supervisory authorities concerned within the statutory timeframe of four weeks 
pursuant to Article 60(4). Further, the DPC also received a number of opinions from 
other supervisory authorities concerned in relation to the draft decision. 


Summary of opinions received from “supervisory authorities concerned” 


The DPC received formal relevant and reasoned objections in relation to the draft 
decision, pursuant to Article 60(4) of the GDPR, from three supervisory authorities 
concerned; 

• Berliner Beauftragte für Datenschutz und Informationsfreiheit (Berlin DPA); 

• Comissão Nacional de Protecção de Dados (Portuguese DPA); and 

• the Office of Personal Data Protection (UODO) of Poland. 


The DPC also received a number of opinions, which were not expressed as formal 
objections, in relation to the draft decision from five other supervisory authorities 
concerned; 

• Garante Per La Protezione Dei Dati Personali (the Italian DPA); 

• Nemzeti Adatvédelmi és Információszabadság Hatóság (the Hungarian DPA); 

• Datatilsynet (Danish DPA); 

• Autorité de Protection de Données (Belgian DPA); and 

• Autoriteit Persoonsgegevens (Dutch DPA). 


In its relevant and reasoned objection the Berlin DPA opined that the DPC’s draft 
decision failed to make a substantive assessment of what it considered to be additional 
infringements by Ryanair DAC of Article 32(1) and Article 32(4) of the GDPR. The 
Berlin DPA stated that, due to Ryanair DAC’s insufficient technical, organisational and 
human resource measures to ensure the security of data processing, the information 
provided to the complainant was incomplete. 


In its opinion, the Italian DPA stated that the human error that led to the failure to reply 
to the subject access request within the statutory timeframe clearly shows that 
organisational and technical issues existed internally, such as to give rise to an 
accountability issue under Article 24(1). 


Further, in the relevant and reasoned objections raised by the supervisory authorities 
concerned, the Berlin DPA, the Portuguese DPA and UODO all noted that the DPC 
had found that an infringement of the GDPR occurred. On this basis, the 
aforementioned supervisory authorities concerned advocated for the exercise of a 
corrective power by the DPC, especially in circumstances where the infringements 
related to the exercise of data subject rights. This opinion was also expressed by the 
Italian DPA, the Hungarian DPA, the Danish DPA and the Belgian DPA in the 
comments submitted by these supervisory authorities in relation to the DPC’s draft 
decision. 


Finally, in its opinion on the DPC’s draft decision, the Dutch DPA submitted the view 
that supervisory authorities are free to structure their complaint handling as they wish 
and that finding a breach of the GDPR does not automatically mean that a corrective 
measure needs be imposed. The DPC notes this view, and considers that no further 
analysis of the Dutch DPA’s opinion is required in this regard. 


Analysis of opinions received from “supervisory authorities concerned” 


Having carefully considered the opinions of the supervisory authorities concerned, the 
DPC has completed a careful in-depth analysis of the opinions and concerns raised, 
both in the context of formal relevant and reasoned objections pursuant to Article 60(4) 
and in opinions submitted in relation to the DPC’s draft decision. 


The DPC has given careful consideration to the opinions of both the Berlin DPA and 
the Italian DPA in relation to their assertions that Ryanair DAC had further contravened 
the GDPR and has completed the following analysis. 


In its submission the Berlin DPA stated that “Due to Ryanair's insufficient technical, 
organisational and human resource measures to ensure the security of data 
processing, the information provided to the complainant was late and incomplete. 
According to points 8, 10 and 26 of the DPC's Draft Decision, Ryanair was late in 
informing the complainant of his data held by Ryanair within the meaning of Art. 15(1) 
GDPR due to ‘human error’. The agent who had initially handled the access request 
until the end of his work on the online portal forgot to assign the access request to 
another agent after his departure. The answer to the request was hence only made 
by letter of 2 April 2019. Additionally, due to the delay in providing the information, the 
complainant could not be provided with the recording of his or her call of 5 September 
2018, as calls are irrevocably deleted 90 days after their recording due to Ryanair's 
internal deletion deadlines. Within the one-month period resulting from Art. 12(3) 
GDPR, Ryanair would therefore have been able to make the call available to the 
complainant. Hence, this additionally constitutes an infringement by Ryanair of Art. 
32(1) and (4) GDPR.” 


Article 32 of the GDPR relates to the security of processing of personal data. More 
specifically, Article 32(1) of the GDPR states that a data controller shall implement 
appropriate technical and organisational measures to ensure a level of security 
appropriate to the risk. Further, Article 32(4) states that the controller shall take steps 
to ensure that any natural person acting under the authority of the controller who has 
access to personal data does not process the data except on instructions from the 
controller, unless he or she is required to do so by Union or Member State law. 


The DPC notes that in this instance the data controller failed to respond to an access 
request submitted by the data subject within the statutory timeframe and that this 
failure to respond was caused by an employee failing to follow internal organisational 
procedures. The DPC also notes that the failure to respond to the data subject’s access 
request within the statutory timeframe resulted in an irrevocable deletion of the data 
subject’s personal data, as it was deleted in line with the data controller’s 90 day 
retention period for call recordings. While the DPC notes that the employee’s failure to 
follow the organisational measures in place resulted in the deletion of the data subject’s 
personal data, the DPC does not consider that there is any evidence to suggest that 
the employee’s failure to follow the organisational measures in place resulted in any 
risk to the security of the personal data being processed, as the data was destroyed in 
line with the data controller’s retention period. The DPC also considers that there is no 
evidence to suggest that the employee of the data controller processed the data 
subject’s personal data outside of the instructions of the data controller, in 
circumstances where the employee failed to process the data subject’s access 
request. As such, the DPC finds no basis to agree with the opinion of the Berlin DPA 
that Ryanair DAC contravened Article 32(1) and Article 32(4) of the GDPR. Further, in 
the course of the DPC’s examination of this complaint, an alleged infringement of 
Article 32(1) and Article 32(4) of the GDPR was not raised as a ground of complaint 
and did not form part of the DPC’s complaint-handling process; as such, an 
examination of Ryanair DAC’s compliance with Article 32(1) and Article 32(4) of the 
GDPR falls outside the scope of the complaint and of this decision. On this basis, the 
DPC does not propose to follow this objection. 


In its opinion, the Italian DPA expressed the opinion that the human error that caused 
the failure to reply to the data subject’s access request in due time clearly shows that 
issues existed in relation to the data controller’s technical and organisational 
measures. The Italian DPA also stated that the risk at issue, namely the fact that an 
operator leaving the company and in charge of complaints handling would not be 
immediately replaced to ensure the seamless handling of such complaints, had not 
been tackled by the data controller beforehand, and that the issue was only resolved 
following the intervention of the DPC in relation to this complaint. The Italian DPA 
expressed the opinion that such an internal issue would give rise to an accountability 
issue under Article 24(1) GDPR. 


The DPC notes that, in the course of the DPC’s examination of this complaint, an 
alleged infringement of Article 24 was not raised as a ground of complaint and did not 
form part of the DPC’s complaint-handling process; as such, an examination of Ryanair 
DAC’s compliance with Article 24 falls outside the scope of the complaint and of this 
decision. On this basis, the DPC does not propose to follow the Italian DPA’s opinion. 


The DPC also notes that, in their opinions the Berlin DPA, the Portuguese DPA and 
the UODO all advocated for the exercise of a corrective power by the DPC, especially 
in circumstances where the infringements related to the exercise of data subject rights. 
Further, the DPC notes that this opinion was also expressed by the Italian DPA, the 
Hungarian DPA, the Danish DPA and the Belgian DPA in the comments submitted by 
the supervisory authorities in relation to the DPC’s draft decision. 


Article 58 of the GDPR provides supervisory authorities with certain powers in relation 
to the investigation and enforcement of the GDPR. Specifically, Article 58(2)(b) 
provides that supervisory authorities shall have the power to issue reprimands to a 
controller or processor where processing operations have infringed provisions of the 
GDPR. Further, Recital 129 of the GDPR states that measures, such as corrective 
powers, “should be appropriate, necessary and proportionate in view of ensuring 
compliance with this Regulation”. 


In assessing whether the application of a corrective power is appropriate, necessary 
and proportionate in this case, I have had regard to the specific circumstances of this 
complaint. I note that the failure to comply with the complainant’s access request was 
the result of a human error and that the data controller has reviewed its technical and 
organisational measures and has put in place further measures to ensure an 
infringement of this nature does not occur again. However, it is important to note that, 
due to this human error, the data controller was irrevocably unable to comply in full 
with the data subject’s access request. I consider that the irreversible deletion of the 
data subject’s personal data, contained in a call recording, presented a risk to the 
fundamental rights and freedoms of the data subject as it prevented the data subject 
from ever being able to exercise full control over their personal data. On this basis the 
DPC considers it appropriate, necessary and proportionate to issue a reprimand to the 
data controller in this instance, taking into account the mitigating measures put in place 
by the data controller and the risk to the fundamental rights and freedoms of the data 
subject. 


Communication of revised draft decision to the data controller 


In light of the opinions received from the supervisory authorities concerned, the DPC 
revised its draft decision to include a summary and analysis of the opinions expressed 
by the supervisory authorities concerned, as detailed in paragraphs 23 to 38 above. 


The DPC provided the data controller with a copy of both the revised draft decision 
and the opinions of the supervisory authorities concerned by way of email on 01 
October 2020. The DPC invited the data controller to provide any final submissions in 
relation to the matter by close of business 15 October 2020. 


The data controller responded to the DPC by way of email dated 14 October 2020. 


In its response, the data controller noted that the DPC had found that it had infringed 
the GDPR, as set out at paragraph 52 below, and that the DPC had exercised its 
powers in this case in line with Recital 129 and the due process requirements in Article 
58 of the GDPR. The data controller advised the DPC that it accepted the findings and 
the associated reprimand. 


In light of the above the data controller advised the DPC that it did not wish to make 
any final submissions in relation to the revised draft decision. 


Applicable Law 


Article 15 of the GDPR provides for an individual’s right of access. Article 15(3) states 
that “The controller shall provide a copy of the personal data undergoing processing.” 


Article 4(2) of the GDPR defines processing as “any operation or set of operations 
which is performed on personal data or on sets of personal data, whether or not by 
automated means, such as collection, recording, organisation, structuring, storage, 
adaptation or alteration, retrieval, consultation, use, disclosure by transmission, 
dissemination or otherwise making available, alignment or combination, restriction, 
erasure or destruction”. 


Further, Article 12(3) of the GDPR states that “The controller shall provide information 
on action taken on a request under Articles 15 to 22 to the data subject without undue 
delay and in any event within one month of receipt.” 


Article 12(3) further states that “That period may be extended by two further months 
where necessary, taking into account the complexity and number of the requests. The 
controller shall inform the data subject of any such extension within one month of 
receipt of the request, together with the reasons for the delay.” However, I note that 
the data controller never notified the complainant of any such extension in this 
instance. 


Findings of Investigation 


During the investigation of the complaint, the DPC established that the complainant 
had submitted an access request to the data controller via its online portal on 26 
September 2018. The complainant received an acknowledgment of receipt of their 
access request from the data controller on 27 September 2018. 


The data controller provided the complainant with its initial response containing the 
complainant's personal data on 10 January 2019. 


Further, in relation to the call recordings requested by the complainant, the data 
controller advised the DPC that call recordings are retained for a 90 day period from 
the date of the call. As the complainant made a call to the data controller on 05 
September 2018 and submitted an access request to the data controller on 26 
September 2018, some 21 days later, the complainant’s personal data, contained in a 
call recording would have been undergoing processing by the data controller as the 
data controller was storing it. Therefore, this data should have been provided to the 
data subject in response to their access request. 


The investigation found that the data controller failed to provide the complainant's 
personal data within one month of their request. Further, the data controller failed to 
notify the complainant of any extension to the statutory timeframe allowed for under 
Article 12(3) of the GDPR. 


Decision on infringements of the GDPR 


Following the investigation of the complaint against Ryanair DAC, I am of the opinion 
that it infringed the General Data Protection Regulation as follows: 


• Article 15 of the General Data Protection Regulation when it failed to provide 
the complainant with a copy of their personal data that was undergoing 
processing at the time of the request. 

• Article 12(3) of the General Data Protection Regulation in that it failed to 
provide the complainant information on action taken on their request under 
Article 15 within the statutory timeframe of one month. 


Remedial measures undertaken by Ryanair DAC 


In respect of these infringements, it is noted that Ryanair DAC has taken certain 
remedial measures. With regards to Ryanair DAC’s 90 day retention period for call 
recordings, the DPC notes that Ryanair DAC has placed a notice on its website page 
where its contact numbers are located notifying users of this 90 day retention period. 


Regarding the infringement of Article 15, Ryanair DAC has informed the DPC that it 
has put in place measures to ensure that an access request assignment no longer 
requires human action and therefore, an access request will not be overlooked due to 
human error. 


Exercise of corrective power by the DPC 


55. In light of the extent of the infringements identified above, the DPC hereby 
issues a reprimand to Ryanair DAC, pursuant to Article 58(2)(b) of the GDPR. 


Yours sincerely, 


John O’Dwyer 
Deputy Commissioner 


On behalf of the Data Protection Commission 




